Not secure

[plaidbear]

Hello. I have recently set up Trilium Next using docker and have it proxied by traefik using a dynamic directory file provider. It's being proxied and my letsencrypt cert is being used but any browser complains that the URL is "Not secure". There are no errors in traefik and I've got quite a number of off host proxied services working just fine. The only thing I can see that's off is that the browser console seems to show mixed traffic not lining up with the cert. I see the error: "Resources - active content with certificate errors"
"You have recently allowed content loaded with certificate errors (such as scripts or iframes) to run on this site." I've tried a few traefik tricks for force SSL but with no success. I skimmed the docs again for missed steps or these discussions for similar issues but didn't see anything. Thanks!

[dosubot[bot]]

Hi @plaidbear! I'm Dosu and I’m helping the Trilium team.

The "Not secure" warning and mixed content errors are usually caused by Trilium generating HTTP URLs for some resources when it's behind a reverse proxy like Traefik. This happens if Trilium doesn't trust the proxy headers, especially X-Forwarded-Proto, which tells it the original request was HTTPS. If Trilium doesn't trust these headers, it may serve some resources over HTTP, triggering browser security warnings.

To fix this, make sure your Traefik config sets the following headers for Trilium:

- traefik.http.services.svc-triliumNext.loadBalancer.server.scheme=http
- traefik.http.routers.rtr-triliumNext.entryPoints=https
- traefik.http.routers.rtr-triliumNext.rule=Host(`your.domain.tld`)
- traefik.http.routers.rtr-triliumNext.service=svc-triliumNext
- traefik.http.middlewares.trilium-headers.headers.customrequestheaders.X-Forwarded-Proto=https

And in your Trilium container, set the environment variable (or in config.ini):

TRILIUM_NETWORK_TRUSTEDREVERSEPROXY=true

or set it to the IP address of your Traefik proxy. This tells Trilium to trust the forwarded headers and generate HTTPS URLs for all resources, preventing mixed content and certificate errors. See the docs and config examples and the recent configuration update for more details.

If you still see errors, use your browser's developer tools (Network tab) to identify which resources are being loaded over HTTP or have certificate issues. This will help pinpoint any remaining misconfigurations.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[plaidbear]

Hi @dosu. Thanks for the quick response! I made changes based on your advice and seem to have gotten things working. For my setup I am using docker with portainer and portainer_agent with multiple hosts. For those stacks off the main host, I am using a file provider with a dynamic folder so I have a trilium.yaml instead of labels. Using the recommended header forward and redirects I still had an issue. It wasn't until I added the trusted reverse proxy env variable in the compose file that things started working. I had to add the IP of the remote proxy, simply 'true' didn't work. For the sake of knowing, I tried setting a /24 range and that didn't work, it had to be the actual IP. To be honest, I am not 100% confident which of these changes helped or if all of the changes helped. The mess that is browser caching was a real thorn in the process. While working at this issue I also realized that Trilium is a single user setup. In anticipation of running more instances I essentially started from scratch and remade the stack. I renamed services specific to the user and changed proxy side ports (eg 8087:8080) to avoid conflicts. In any event, it works. Thank you!